1369 points universesquid | 5 comments
junon No.45169794
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #
winwang No.45170202
Just want to agree with everyone who is thanking you for owning up (and so quickly). Got phished once while drunk in college (a long time ago), could have been anyone. NPM being slowish to get back to you is a bit surprising, though. Seems like that would only make attacks more lucrative.
replies(3): >>45172493 #>>45173347 #>>45175107 #
sneak No.45175107
Can happen to anyone… who doesn’t use password manager autofill and unphishable 2FA like passkeys.

Most people who get phished aren’t using password managers, or they would notice that the autofill doesn’t work because the domain is wrong.

Additionally, TOTP 2FA (numeric codes) are phishable; stop using them when U2F/WebAuthn/passkeys are available.

I have never been phished because I follow best practices. Most people don’t.

replies(5): >>45175125 #>>45176489 #>>45181184 #>>45207329 #>>45207370 #
junon No.45175125
I use a password manager. I was mobile, the autofill stuff isn't installed as I don't use it often on my phone.

In 15 years of maintaining OSS, I've never been pwned, phished, or anything of the sort.

Thank you for your input :)

replies(5): >>45175912 #>>45176071 #>>45176258 #>>45177707 #>>45179111 #
yawaramin No.45177707
I'm angry about this. Large megacorps with the budget of medium-sized countries allocate the minimum amount of budget to maintain their auth systems and still allow the use of phishable auth methods. If npm disabled passwords and forced people to use passkeys, this huge problem just disappears tomorrow.

But instead, we're left with this mess where ordinary developers are forced to deal with the consequences of getting phished.

replies(1): >>45178575 #
1. hdjrudni No.45178575
Passkeys can be a pain in the ass too. Evidently I set up my Yubikey with Github at some point, which is fine if I'm at my desktop where my key is plugged in, but if I want to sign in on mobile.... now what? I just couldn't log in on mobile for months until I realized I think there's a button on there somewhere that's like "use different 2FA", but then what was even the point of having a key registered if it can be bypassed?
replies(4): >>45178662 #>>45179088 #>>45181989 #>>45182928 #
2. dchest No.45178662
While you can set up passkeys with YubiKey, the most common intended use case is key pairs that are syncable via your Apple/Google/password manager account. So, once you add a passkey, you'll be able to sign in on mobile with it automatically.
3. sneak No.45179088
You can use software U2F (iCloud supports this); you don't need Yubikeys.

Also, Yubikeys work on phones just fine, via both NFC and USB.

4. nialv7 No.45181989
You can use Yubikeys for both passkey and password+2FA. This way you aren't bypassing anything. And by the way, you can get USB-C Yubikeys so you can plug one into your phone. If even that's not an option, you can get a USB-C to USB-A adapter.
5. yawaramin No.45182928
> but if I want to sign in on mobile.... now what?

Just set up a new passkey on the mobile device.